[JEP-237] disable escapeHatch when Jenkins is in FIPS mode

[olamy]

The escapeHatch login uses a non compliant encryption library (along with an non compliant encryption algotithm) (BCrypt) for storing the escape hatch password.

Whilst some equivallent functionality could be written (storing the password in PBKDF2 for example), the security implications on a back-door user in a FIPS compliant setup would be questionable.
Therefor this PR just disables the ability to create or use the escapeHatch when Jenkins is in FIPS mode.

This PR does not mean that the plugin is now FIPS compliant, it just makes it one step closer to be by removing one blocker.

Signed-off-by: Olivier Lamy [email protected]

Testing done

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[codecov]

Codecov Report

Attention: Patch coverage is 57.14286% with 3 lines in your changes missing coverage. Please review.

Project coverage is 71.77%. Comparing base (45809bf) to head (ab4ab83).
Report is 16 commits behind head on master.

Files with missing lines	Patch %	Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java	57.14%	3 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #418      +/-   ##
============================================
- Coverage     71.88%   71.77%   -0.12%     
- Complexity      206      208       +2     
============================================
  Files            16       16              
  Lines           900      907       +7     
  Branches        126      126              
============================================
+ Hits            647      651       +4     
- Misses          186      189       +3     
  Partials         67       67              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[olly-cb]

let's be honest Codecov is useless here....

[fcojfernandez]

maybe we should add a test proving that in CasC the escape hatch cannot be configured.

[olamy]

oops I forgot a test class :)

missing one thing

[fcojfernandez]

as per https://github.com/jtnord/oic-auth-plugin/pull/1/files, this check should be included in the readresolve

[olamy]

as per https://github.com/jtnord/oic-auth-plugin/pull/1/files, this check should be included in the readresolve

done with 4623768